First, let's all acknowledge the tragic irony of exposing HIPAA protected information because of phony HIPAA audit program correspondence. It is, however, a pretty common strategy. Most of these scams attempt to scare users so they will hastily click a malicious link. For example, say you get a message that appears to be from your bank that reads, "We recently closed your account per your request. If this is incorrect, click here."
"WAIT A MINUTE?!" you may think. "I didn't close my account. I should click here and get this straightened out right away. Ok, I see all I need to do to clear up this matter is enter my social security number, my birthday, my mother's maiden name, my favorite pet's name, and the model of my first car...seems reasonable."